The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)
Implemented enhancements:
Closed issues:
Merged pull requests:
This release includes a lot of small fixes. See the auto-generated changelog for the complete list of changes. From those, here are the notable improvements:
In late 2021, the log4j version 2 library was vulnerable to JNDI/LDAP "injection" (Log4Shell, CVE-2021-44228). The Log4j2 project has used FSB (at least once). I later found out that we had a small signature issue that could have warned of the Context.lookup() method risks. See #670 for more info.
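To make the Context.lookup() risk concrete, here is an added example (not code from Log4j or from Find Security Bugs) showing the pattern the missed signature should flag, a caller-controlled name reaching lookup(), beside an allowlist-constrained version. The class, method and JNDI resource names are hypothetical.

```java
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Added example, not project code. Names are hypothetical.
public class JndiLookupExample {

    // Vulnerable: a request-controlled string reaches Context.lookup().
    // Even with no initial context configured, a name with a URL scheme such as
    // "ldap://attacker.example/x" is dispatched by InitialContext to the JDK's LDAP
    // URL context factory, so the lookup reaches the network and deserializes the reply.
    static Object lookupUnsafe(String nameFromRequest) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(nameFromRequest); // FSB should report this when the name is tainted
    }

    // Hardened: the caller may only select from a fixed set of local resource names,
    // so no scheme prefix or attacker-chosen host can ever reach lookup().
    private static final Set<String> ALLOWED_NAMES = Set.of(
            "java:comp/env/jdbc/appDb",
            "java:comp/env/mail/session");

    static Object lookupSafe(String requestedName) throws NamingException {
        if (!ALLOWED_NAMES.contains(requestedName)) {
            throw new IllegalArgumentException("JNDI name not allowed: " + requestedName);
        }
        Context ctx = new InitialContext();
        return ctx.lookup(requestedName);
    }

    public static void main(String[] args) {
        // Constructed input: the allowlist rejects it before any JNDI provider is touched.
        try {
            lookupSafe("ldap://attacker.example/exploit");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        } catch (NamingException e) {
            System.out.println("naming error: " + e);
        }
    }
}
```

The allowlist is the point: validating the string for "ldap://" prefixes is fragile (other schemes and case variations exist), whereas a closed set of names removes the attacker's control over what is resolved.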
Full Changelog: https://github.com/find-sec-bugs/find-sec-bugs/compare/version-1.11.0...version-1.12.0
> md5sum findsecbugs-cli-1.12.0.zip
3b27a4374ac89146574a6318cfc53529 *findsecbugs-cli-1.12.0.zip
> sha1sum findsecbugs-cli-1.12.0.zip
cc382af0fae095afa7d41eb14d105fb909d8bc5b *findsecbugs-cli-1.12.0.zip
In this new release of Find Security Bugs (FSB), you'll find a few new detectors along with improvements to existing ones. Here is a summary of what to expect from this update.
A new experimental detector was created to highlight Unicode issues. Its reports are shown only if you set the minimum confidence to Low (the default setting is Medium). For applications integrating Groovy, a new detector will find scripts being evaluated at runtime (analogous to eval functions in scripting languages). Vert.x SQL APIs are now supported. Finally, hardcoded passwords in the JSch library are now detected.
Deserialization detectors now support ObjectInput and ObjectInputStream. Thanks to @nichollt for the idea.
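ObjectInputStream.readObject() on untrusted bytes is the sink these detectors report. The following added example (mine, not the project's) contrasts an unfiltered read with one guarded by a JEP 290 ObjectInputFilter (Java 9+). Class and method names are hypothetical, and the serialized inputs are constructed inside the block.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

// Added example, not project code. Names are hypothetical.
public class DeserializationFilterExample {

    // Vulnerable: readObject() will instantiate any Serializable class on the classpath,
    // so a crafted stream can drive gadget chains before the caller sees the result.
    static Object readUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened: allowlist the classes the stream is expected to contain and cap
    // depth and array sizes. "!*" rejects everything not listed, before the class
    // is resolved or any constructor/readObject runs.
    static Object readWithFilter(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;!*;maxdepth=5;maxarray=1000");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Helper to build constructed sample streams for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected shape: an ArrayList of Strings passes the filter.
        List<String> expected = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + readWithFilter(serialize(expected)));

        // HashMap is harmless here but stands in for an unexpected gadget class:
        // the filter rejects it and readObject() throws InvalidClassException.
        try {
            readWithFilter(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Prefer the allowlist form of the pattern over a denylist of known gadget classes: the set of gadgets grows with every library on the classpath, while the set of types an endpoint legitimately accepts is small and known.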
For applications making outbound HTTP requests, the recommended way to build a URI/URL is to use URIBuilder. This third-party class provides a DSL that behaves similarly to prepared statement APIs: every parameter passed to the DSL is properly encoded. This allows FSB to remove the false positive with confidence.
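An added example of the two patterns (not code from the project). It assumes the URIBuilder in question is Apache HttpComponents' org.apache.http.client.utils.URIBuilder from HttpClient 4.x, and the host and input values are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.http.client.utils.URIBuilder;

// Added example, not project code. Assumes HttpClient 4.x on the classpath.
public class UriBuilderExample {

    // Pattern FSB reports: string concatenation. A value such as "shoes&admin=true"
    // injects a second query parameter; "../" sequences can also alter the path.
    static String buildByConcatenation(String host, String userValue) {
        return "https://" + host + "/api/search?q=" + userValue;
    }

    // Pattern FSB now recognizes as safe: each component is set through the builder,
    // which percent-encodes the parameter value, so it stays a single parameter.
    static URI buildWithUriBuilder(String host, String userValue) throws URISyntaxException {
        return new URIBuilder()
                .setScheme("https")
                .setHost(host)
                .setPath("/api/search")
                .addParameter("q", userValue)
                .build();
    }

    public static void main(String[] args) throws URISyntaxException {
        String hostile = "shoes&admin=true"; // constructed input
        System.out.println(buildByConcatenation("api.example.test", hostile));
        System.out.println(buildWithUriBuilder("api.example.test", hostile));
    }
}
```

With the concatenated form the query contains two parameters, q and admin; with the builder the ampersand and equals sign in the value are percent-encoded and the request carries exactly one parameter. Note that the builder protects the structure of the URI, not the destination: if userValue is used as the host, the SSRF detectors still apply.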
StringSubstitutor / StrSubstitutor (Apache Commons Text / Commons Lang) are now tracked properly by all injection detectors.
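Why tracking these classes matters: substitution copies the value through unchanged, so taint survives it and the resulting string is as dangerous as the raw input. Added example (not project code), assuming Apache Commons Text's org.apache.commons.text.StringSubstitutor and a hypothetical users table:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;

// Added example, not project code. Assumes commons-text on the classpath.
public class SubstitutorTaintExample {

    // The tainted value flows through StringSubstitutor verbatim, so the returned SQL
    // is still tainted; FSB now follows this path to the statement that executes it.
    static String buildQueryUnsafe(String userName) {
        StringSubstitutor sub = new StringSubstitutor(Map.of("user", userName));
        return sub.replace("SELECT id FROM users WHERE name = '${user}'");
    }

    // Safe: the value is bound as a parameter and never becomes part of the SQL text.
    static PreparedStatement buildQuerySafe(Connection conn, String userName) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, userName);
        return ps;
    }

    public static void main(String[] args) {
        // Constructed inputs: the second closes the quoted literal and appends a tautology.
        System.out.println(buildQueryUnsafe("alice"));
        System.out.println(buildQueryUnsafe("' OR '1'='1"));
    }
}
```

The same reasoning applies to any string-templating helper (MessageFormat, String.format, text-block concatenation): it is a pass-through for taint, not a sanitizer.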
This version is compatible with SpotBugs 4.0.0. The command line client (see the attached package) includes the latest version.
> md5sum findsecbugs-cli-1.11.0.zip
241c1f9138ee903d9d9f5e7cd00a93bf *findsecbugs-cli-1.11.0.zip
> sha1sum findsecbugs-cli-1.11.0.zip
910f38b746257d62de33ca83f257426e74e02033 *findsecbugs-cli-1.11.0.zip
This minor update introduces a fix: https://github.com/find-sec-bugs/find-sec-bugs/issues/526
A new detector for Pebble template injection is also added. Thanks to @sa160690.
Messages from many detectors were also updated. Multiple broken or outdated links were corrected. https://github.com/find-sec-bugs/find-sec-bugs/pull/528
> sha1sum findsecbugs-cli-1.10.1.zip
fad67bc6c31032dd3cf7419c1f4abe2376658757 *findsecbugs-cli-1.10.1.zip
> md5sum findsecbugs-cli-1.10.1.zip
1eecbef120b61e0ce4870c38fe28fccd *findsecbugs-cli-1.10.1.zip
New bug detectors (or important improvements)
This release is the result of various contributors: jie-lin, kulinacs, mkotyk, topolik, bananayong, nigredo-tori and thiyagu-7. With this 19th release, we reach 51 contributors.
A status update was published about Find Security Bugs arrival in the OWASP family.
The project is now an OWASP project. After 7 years of development, this transition was made mainly to reiterate the project's goal, which is to provide a solid static analyzer accessible to all Java developers. The hope is that this will increase the project's visibility, which means more users, and also keep the flow of external contributions going.
For this release, support for Kotlin was greatly increased thanks to mario-areias. An important bug fix was made for the Linux CLI. A few improvements were made to remove recurrent false positives related to XSS in JSP, deserialization and insecure ciphers.
An effort was made at the end of this milestone to improve the descriptions. This effort will continue in the next releases. Don't hesitate to send a PR for any grammar errors or typos. Ref: complete descriptions and file to edit
PS: I know that wasps (OWASP mascot) are not the same as bees. 😆
(In order of contribution date)
> sha1sum findsecbugs-cli-1.9.0.zip
27b35c76f45d4da063e4a85ffebf491bc4890763 *findsecbugs-cli-1.9.0.zip
> md5sum findsecbugs-cli-1.9.0.zip
cc7c052184cc94e316908ddb58e2afae *findsecbugs-cli-1.9.0.zip
> sha1sum findsecbugs-cli-1.9.0-fix1.zip
f596059c106675ff93aa252cd99f923b480f1e30 *findsecbugs-cli-1.9.0-fix1.zip
> md5sum findsecbugs-cli-1.9.0-fix1.zip
795a404bc73493e32bf86ba4655901f0 *findsecbugs-cli-1.9.0-fix1.zip
> md5sum findsecbugs-cli-1.9.0-fix2.zip
0d92d567ebc6ec88b1ce6d61b8d40d48 *findsecbugs-cli-1.9.0-fix2.zip
> sha1sum findsecbugs-cli-1.9.0-fix2.zip
998437752ebfbed1cace3c9d73cc4644fb3f1545 *findsecbugs-cli-1.9.0-fix2.zip
While SQL injection is considered by many to be a (mostly) solved problem, injection vulnerabilities are still current because of all the injections possible in other APIs receiving SpEL or OGNL expressions, HTML (XSS), SMTP headers or specialized query languages. In this release, new detectors and updates to old ones are likely to catch critical vulnerabilities that may lead to remote code execution or sensitive data exposure.
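As an added illustration of the expression-language case (example code, not the project's own; it assumes the spring-expression module is on the classpath and uses a hypothetical Order class), here is an expression built from user input evaluated under StandardEvaluationContext, beside the same evaluation under the restricted SimpleEvaluationContext:

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example, not project code. Assumes spring-expression on the classpath.
public class SpelInjectionExample {

    // Hypothetical root object exposed to expressions.
    public static class Order {
        private final int quantity = 3;
        private final double unitPrice = 9.5;
        public int getQuantity() { return quantity; }
        public double getUnitPrice() { return unitPrice; }
    }

    // Vulnerable: user input becomes the expression and is evaluated with the
    // StandardEvaluationContext, which allows type references, constructors and
    // method calls, e.g. T(java.lang.Runtime).getRuntime().exec('id').
    static Object evaluateUnsafe(String userExpression, Order root) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(userExpression);
        return exp.getValue(new StandardEvaluationContext(root));
    }

    // Hardened: SimpleEvaluationContext exposes only property access and operators;
    // T(...) type references, bean references and arbitrary method invocation fail.
    static Object evaluateRestricted(String userExpression, Order root) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(userExpression);
        return exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        Order order = new Order();
        // Constructed inputs: a legitimate data-binding expression, then a payload.
        System.out.println("total: " + evaluateRestricted("quantity * unitPrice", order));
        try {
            evaluateRestricted("T(java.lang.Runtime).getRuntime()", order);
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessageCode());
        }
    }
}
```

The restricted context is the right default whenever the expression text is not fully under the application's control; if user input must drive a computation, keep the expression fixed and pass the input in as a variable or root object property instead.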
Some modifications were made to support edge cases of Kotlin. If you are a Kotlin developer, you should benefit greatly from this release. (Fix #387) (Tests #407, #409, #410)
Many built-in Java XML APIs susceptible to XXE were added to existing detectors. #138
Find Security Bugs is now automatically tested against Java 10. We will continue to compile the plugin with Java 8 to maximize compatibility.
Thanks to the numerous contributors who have pushed changes that were integrated in this version:
Implemented enhancements:
Intrinsics.areEqual() (#387)
74a7fc48d07c50311e052fdf4c7ac0ee675876fa *findsecbugs-cli-1.8.0.zip
SpotBugs' first stable release (3.1.0) is approaching. The build now uses SpotBugs rather than FindBugs. Nevertheless, Find Security Bugs will continue to be compatible with FindBugs as the API stays the same. If you don't migrate to SpotBugs, you will be missing Java 8 compatibility.
What's new in this release? Many new signatures, 94 to be exact, have been added, including Android SQL APIs and Struts 2 APIs receiving OGNL expressions. Improvements have been made to APIs affected by SSRF for Play as well as J2EE APIs.
Special thanks to the contributors of this release: @javabeanz, @topolik, @MaxNad, @dbaxa, @ln2v, @gredler, @dreis2211, @johnhawes, @obilodeau and @xsun12. Also thanks to @VinodAnandan for spotting a regression with the OWASP Benchmark project.
Hashes:
dc733590c116fd2fb37fda434b76b7fecd90664456219cab5d135d73ca0467df *findsecbugs-cli-1.7.1.zip
Most of the new detectors in this release are contributions from new developers. Notably @plr0man, @ptamarit, @MaxNad and @edrdo.
The new detectors are covering a wide range of vulnerability types. See the changelog below.
In the news, a team of researchers from Google and Centrum Wiskunde & Informatica has carried out a previously theoretical attack to produce the first SHA-1 collision (the SHAttered attack). If you think SHA-1 collisions can affect your application, look at the report of the bug pattern Weak Message Digest SHA-1.
A couple of huge improvements are bundled in this release, including:
These are the major new detectors, but, as usual, many false positive patterns are now recognized and avoided.
Quick note on the version notation: the previous releases were made as minor versions (1.4.1-1.4.6) even though they included major improvements. It was never really a big concern because no major issue required fixing. This may have caused some confusion for some users. The release plan is still to keep moving forward and not maintain older versions. There should be no benefit to keep using an old version.